Snowflake Data Breach Impacts Ticketmaster, Other Organizations

Ticketmaster and other organizations have been affected by a data breach at cloud AI data platform Snowflake.

Ticketmaster and multiple other organizations have had significant amounts of information stolen in a data breach involving cloud data platform Snowflake, security researchers report.

The theft of Ticketmaster data came to light last week, when a notorious hacking group claimed to have exfiltrated the information of 560 million users, asking $500,000 for the data.

In an SEC filing late last week, Ticketmaster parent company Live Nation Entertainment confirmed unauthorized access to “a third-party cloud database environment” mainly containing data from the online ticket sales platform.

“On May 27, 2024, a criminal threat actor offered what it alleged to be company user data for sale via the dark web. We are working to mitigate risk to our users and the company, and have notified and are cooperating with law enforcement,” the filing reads.

While Live Nation Entertainment does not name the third-party services provider responsible for the breach, the threat intelligence community has learned that it’s Snowflake, a cloud AI data platform that thousands of companies use for storing, managing, and analyzing large volumes of data.

On May 31, Snowflake revealed that it was investigating a cyber incident impacting a limited number of customers, after threat actors targeted customer accounts that only had single-factor authentication.

“As part of this campaign, threat actors have leveraged credentials previously purchased or obtained through infostealing malware,” Snowflake said in a statement on its community forums.

The company said it found no evidence that the malicious campaign was the result of a vulnerability or breach of its platform, or of “compromised credentials of current or former Snowflake personnel”.

The statement, however, did reveal that the personal credentials of a former employee were compromised and used to access demo accounts that did not contain sensitive data.

“Demo accounts are not connected to Snowflake’s production or corporate systems. The access was possible because the demo account was not behind Okta or Multi-Factor Authentication (MFA), unlike Snowflake’s corporate and production systems,” the company said.

In a separate knowledge base article, the company warned of “an increase in cyber threat activity targeting some of our customers’ accounts”, once again underlining that stolen customer credentials were to blame, and not a vulnerability, misconfiguration, or compromise of Snowflake’s own systems.

“Throughout the course of our ongoing investigation, we have promptly informed the limited number of customers who we believe may have been impacted,” the company said.

The knowledge base article also provides indicators of compromise (IoCs) and recommended mitigations for organizations that identify suspicious activity on their accounts.

Teenagers reportedly behind Snowflake hack

Last week, in a conversation with Hudson Rock, a threat actor that claimed responsibility for the Snowflake campaign said they accessed data from organizations such as Anheuser-Busch, Allstate, Advance Auto Parts, Mitsubishi, Neiman Marcus, Progressive, Santander Bank, and State Farm, in addition to Ticketmaster.

Santander Bank disclosed unauthorized access to one of its databases hosted by a third-party provider in mid-May, saying that the information of customers in Chile, Spain, and Uruguay, along with data on all former and current employees was compromised.

Overall, roughly 400 organizations might have been impacted by the Snowflake incident, the threat actor claimed, noting that they wanted to receive $20 million from Snowflake in exchange for the data.

The attackers also claimed the compromise of a Snowflake employee’s ServiceNow account, the bypass of Okta protections, and gaining the ability to generate session tokens, which allowed them to steal massive amounts of data, Hudson Rock noted in a now-deleted post.

The threat actor also provided Hudson Rock with a CSV file containing data on more than 2,000 customer instances running on Snowflake’s servers, including information on a Snowflake employee infected with an infostealer in October 2023.

“Reports indicated that over 500 demo environment instances were detected in the stealer logs linked to the compromised Snowflake account,” SOCRadar notes in its analysis of the attacks.

The Australian Cyber Security Centre, in the meantime, announced that it was aware of “successful compromises of several companies utilizing Snowflake environments”, and that it was tracking increased threat activity relating to Snowflake customer environments.

Snowflake may claim that it was not the victim of a data breach, but the attackers’ claims and Snowflake’s own statement show otherwise, security researcher Kevin Beaumont points out: one of their employees’ accounts was not properly secured and the employee was infected with an infostealer.

Thus, the researcher says, while it tries to blame its customers for the activity of the threat actor, Snowflake too is responsible for the incident.

“Snowflake themselves fell into this trap, by both not using multi factor authentication on their demo environment and failing to disable a leaver’s access,” the researcher says.

According to Beaumont, the threat actor behind the incident is a group of teenagers “active publicly on Telegram for a while” who relied on infostealers to access Snowflake databases using customers’ stolen credentials.

The threat actor, SOCRadar notes, first appeared on a dark web forum on May 23, when they boasted about the Santander Group breach using the “Whitewarlock” alias and asking $2 million for the data.

“Whitewarlock’s activities and reputation within the cybersecurity community remain unclear, with no prior known history. Their sudden appearance and the specific demands suggest a potentially opportunistic attack rather than a coordinated campaign,” SOCRadar notes.

Snowflake customers are advised to disable accounts that are no longer active, to make sure MFA is enabled on every account, to reset credentials for active accounts, and to apply the mitigation recommendations and indicators of compromise provided by Snowflake.

Update: According to Mandiant, a financially motivated threat actor tracked as UNC5537 compromised hundreds of Snowflake customer instances using credentials stolen via infostealer malware that infected systems not owned by Snowflake. Mandiant published a 65-page threat hunting guide on June 17 to help organizations look for abnormal and unauthorized activity in their Snowflake instances.
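The mitigations above (disable dormant accounts, require MFA, reset credentials) and the hunt for abnormal logins described in the update can all be driven from the same two sources: the account's login history and its user list. The following is an added example written for this page, not code from Snowflake, Mandiant or the article. It runs the checks over constructed sample rows whose column names follow Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and USERS views; that an exported copy of those views is available as lists of dicts, and the user names, IPs and timestamps in the sample, are assumptions of the example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real Snowflake telemetry). Column names follow
# Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and USERS views; treating an
# exported copy of those views as lists of dicts is an assumption of this example.
def login(ts, user_name, ip, client, first, second, ok):
    return {"EVENT_TIMESTAMP": ts, "USER_NAME": user_name, "CLIENT_IP": ip,
            "REPORTED_CLIENT_TYPE": client, "FIRST_AUTHENTICATION_FACTOR": first,
            "SECOND_AUTHENTICATION_FACTOR": second, "IS_SUCCESS": ok}

LOGIN_HISTORY = [
    login("2024-05-10T09:00:00", "ANALYST1", "198.51.100.7", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    login("2024-05-30T09:12:00", "ANALYST1", "198.51.100.7", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    login("2024-05-01T02:41:00", "ETL_SVC", "203.0.113.55", "JDBC_DRIVER", "PASSWORD", None, "YES"),
    login("2024-05-30T02:41:00", "ETL_SVC", "203.0.113.55", "JDBC_DRIVER", "PASSWORD", None, "YES"),
    login("2024-05-02T11:00:00", "CI_BOT", "198.51.100.9", "PYTHON_DRIVER", "RSA_KEYPAIR", None, "YES"),
    login("2024-05-29T11:00:00", "CI_BOT", "198.51.100.9", "PYTHON_DRIVER", "RSA_KEYPAIR", None, "YES"),
    # A leaver's password, harvested by an infostealer, replayed from an IP the
    # account never used: one failed attempt, then a successful password-only login.
    login("2024-05-31T03:10:00", "LEAVER1", "203.0.113.99", "OTHER", "PASSWORD", None, "NO"),
    login("2024-05-31T03:11:00", "LEAVER1", "203.0.113.99", "OTHER", "PASSWORD", None, "YES"),
]

def user(name, disabled, has_password, duo, last_login):
    return {"NAME": name, "DISABLED": disabled, "HAS_PASSWORD": has_password,
            "EXT_AUTHN_DUO": duo, "LAST_SUCCESS_LOGIN": last_login}

USERS = [
    user("ANALYST1", False, True, True, "2024-05-30T09:12:00"),
    user("ETL_SVC", False, True, False, "2024-05-30T02:41:00"),
    user("CI_BOT", False, False, False, "2024-05-29T11:00:00"),        # key-pair only, no password
    user("LEAVER1", False, True, False, "2024-05-31T03:11:00"),        # left the company, never disabled
    user("OLD_CONTRACTOR", False, True, False, "2023-10-02T08:00:00"),
]

NOW = datetime(2024, 6, 1)
BASELINE_END = datetime(2024, 5, 15)   # successful logins up to here define "normal" per user

def _ts(s):
    return datetime.fromisoformat(s)

def single_factor_password_logins(rows):
    """Successful logins that relied on a password alone: the account shape this
    campaign targeted. Key-pair logins are left out because the credential
    replayed here was a password, not a private key."""
    return [r for r in rows
            if r["IS_SUCCESS"] == "YES"
            and r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and not r["SECOND_AUTHENTICATION_FACTOR"]]

def users_without_mfa(users):
    """Enabled users who can log in with a password but have no MFA enrolled."""
    return sorted(u["NAME"] for u in users
                  if not u["DISABLED"] and u["HAS_PASSWORD"] and not u["EXT_AUTHN_DUO"])

def dormant_enabled_users(users, now, max_idle_days=90):
    """Enabled users with no successful login inside the window: disable these
    before a credential stolen months ago is replayed against them."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u["NAME"] for u in users
                  if not u["DISABLED"]
                  and (u["LAST_SUCCESS_LOGIN"] is None or _ts(u["LAST_SUCCESS_LOGIN"]) < cutoff))

def first_seen_ips(rows, baseline_end):
    """Per user, source IPs of successful logins after baseline_end that never
    appeared before it. A replayed credential usually arrives from
    infrastructure the legitimate account has never used."""
    baseline, recent = {}, {}
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue
        bucket = baseline if _ts(r["EVENT_TIMESTAMP"]) <= baseline_end else recent
        bucket.setdefault(r["USER_NAME"], set()).add(r["CLIENT_IP"])
    findings = {u: ips - baseline.get(u, set()) for u, ips in recent.items()}
    return {u: ips for u, ips in findings.items() if ips}

def hunt(rows, users, now, baseline_end):
    """Bundle the four checks into one report."""
    return {
        "single_factor_logins": sorted({r["USER_NAME"] for r in single_factor_password_logins(rows)}),
        "users_without_mfa": users_without_mfa(users),
        "dormant_enabled_users": dormant_enabled_users(users, now),
        "new_source_ips": first_seen_ips(rows, baseline_end),
    }

if __name__ == "__main__":
    for check, result in hunt(LOGIN_HISTORY, USERS, NOW, BASELINE_END).items():
        print(f"{check}: {result}")
```

On the constructed data, LEAVER1 trips three of the four checks at once (password-only login, no MFA enrolled, never-seen source IP), which is the pattern to look for first; ETL_SVC shows the common residual risk of a service account that authenticates with a password and nothing else, and OLD_CONTRACTOR is the dormant-but-enabled account that should have been disabled on departure. Against a live account the same queries are normally run in SQL over the ACCOUNT_USAGE views rather than over an export.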

Related: Hackers Boast Ticketmaster Breach on Relaunched BreachForums

Related: BBC Data Breach Impacts 25,000 Employees

Related: Okta Warns of Credential Stuffing Attacks Targeting Cross-Origin Authentication

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
